Saturday, June 29, 2013

MIRLN --- 9-29 June 2013 (v16.09)

MIRLN --- 9-29 June 2013 (v16.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



ANNOUNCEMENTS

ABA Journal/Ross Contest for Short Fiction (deadline 31 July 2013) - The ABA Journal is accepting entries for the 2013 ABA Journal/Ross Contest for Short Fiction. Entries should be original works of fiction, no longer than 7,500 words. Entries should illuminate the role of law and/or lawyers in modern life. The winner will receive a prize of $3,000. View the full rules and entry form here: http://www.abajournal.com/contests/ross_essay


Polley: In late July the ABA will publish The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, with chapters on sources of the risk, legal and ethical obligations, practice-setting specifics, planning and recovery, and insurance. Through the ABA Cybersecurity Legal Task Force I've been heavily involved in this, and think it'll be an invaluable resource for US lawyers of all stripes.


NEWS

Prosecutors' Use of Mobile Phone Tracking is 'Junk Science,' Critics Say (ABA Journal, 1 June 2013) - At his trial last year on federal kidnapping and conspiracy charges, prosecutors sought to introduce cell tower evidence purporting to show that calls placed from defendant Antonio Evans' cellphone could have come from his aunt's house, where the victim was thought to have been held for ransom. That's not unusual. Hardly a day goes by when some prosecutor doesn't go to court armed with cell tower evidence he or she claims places a defendant in the vicinity of a crime the defendant is accused of committing. What made the Evans case unusual was the fact that the defense even put up a fight to keep the cell tower evidence out of the trial. Evans' lawyers said the technique has not been shown to be scientific. Such testimony usually goes unchallenged, presumably because most defense lawyers either accept at face value prosecutors' assurances that cell tower evidence is scientific or because they don't know enough about the underlying technology to understand its limitations. And, on the few occasions that it has been challenged, the courts have always let it in. Until U.S. District Judge Joan H. Lefkow of Chicago came along, that is. Lefkow, who tried the Evans case, took an in-depth look at the cell tower evidence the government was proposing to use and found it wanting. The judge wrote that "multiple factors can affect the signal strength of a tower" and an FBI special agent's "chosen methodology has received no scrutiny outside the law enforcement community." As a result, the court concluded that the government had not demonstrated that testimony was reliable, Lefkow wrote in an Aug. 29, 2012, opinion and order. Critics of cell tower tracking, as the practice is often called, say the decision is long overdue. It marks the first partial defense victory against the use of such evidence on Daubert grounds, the test formulated in the 1993 U.S. 
Supreme Court case Daubert v. Merrell Dow Pharmaceuticals. The test says that the judge should rule on the admissibility of scientific information submitted to assist the fact finder. It is used by federal and many state courts to determine the admissibility of expert testimony. Critics hope the case represents a turning point in the courts' general tendency to submit when dubious scientific techniques such as cell tower tracking are proffered. Michael Cherry, the CEO of Cherry Biometrics, a Falls Church, Va.-based consulting firm that has led the legal assault on cell tower tracking, calls it "junk science" that should never be admitted in any court for any reason. In fact, he can't believe that such an easily disproved technique, which has been around for a decade or more, is still routinely being used in court.


Mounting Evidence of the NSA Warrantless Surveillance (EFF, 6 June 2013) - EFF has so much evidence of the surveillance now that we've created a timeline . In brief, America first learned about the secret surveillance in a 2005 New York Times exposé which disclosed one aspect of the NSA's domestic surveillance program. We learned that the Bush Administration had been illegally tapping phone lines in the U.S. without warrants or court permission immediately following the 9/11 attacks. President Bush himself admitted at least some of what the government was doing. In early 2006, EFF received photos and blueprints from former AT&T technician Mark Klein. These undisputed documents show that AT&T installed a fiberoptic splitter at its facility in San Francisco which sends copies of all AT&T customers' emails, web browsing, and other Internet traffic to the NSA. Later in 2006, USA Today and a number of other newspapers published a story disclosing that the NSA had compiled a massive database of call records from American telecommunications companies, which included AT&T, Verizon, and Bell South. This was confirmed by a number of members of Congress. Information has continued to trickle out over time. In 2009, the New York Times reported the NSA was still collecting purely domestic communications in a "significant and systematic" way after the FISA Amendments Act was passed in 2008. [Polley: useful, broad review]


- and -

A.C.L.U. Files Lawsuit Seeking to Stop the Collection of Domestic Phone Logs (NYT, 11 June 2013) - The American Civil Liberties Union sued the Obama administration on Tuesday over its "dragnet" collection of logs of domestic phone calls, contending that the once-secret program - whose existence was exposed last week by a former National Security Agency contractor - is illegal and asking a judge to stop it and order the records purged. The lawsuit could set up an eventual Supreme Court test. It could also focus attention on this disclosure amid the larger heap of top secret surveillance matters revealed by Edward J. Snowden, the former N.S.A. contractor who came forward Sunday to say he was their source. The program "gives the government a comprehensive record of our associations and public movements, revealing a wealth of detail about our familial, political, professional, religious and intimate associations," the complaint says , adding that it "is likely to have a chilling effect on whistle-blowers and others who would otherwise contact" the A.C.L.U. for legal assistance. In other lawsuits against national security policies, the government has often persuaded courts to dismiss them without ruling on the merits by arguing that litigation would reveal state secrets or that the plaintiffs could not prove they were personally affected and so lacked standing in court. This case may be different. The government has now declassified the existence of the program. And the A.C.L.U. is a customer of Verizon Business Network Services - the recipient of a leaked secret court order for all its domestic calling records - which it says gives it standing.


- and -

Officials: NSA Doesn't Collect Cellphone-Location Records (WSJ, 16 June 2013) - The National Security Agency sweeps up data on millions of cellphones and Internet communications under secret court orders. But as it mounts a rigorous defense of its surveillance, the agency has disclosed new details that portray its efforts as tightly controlled and limited in scope, while successful in thwarting potential plots. As part of this program, however, the NSA chooses not to collect such data as the nearest cellphone tower used to place or receive a mobile call, U.S. officials said. In a statement released this weekend, the Office of the Director of National Intelligence said the NSA program doesn't collect "any cell phone locational information." Such information has been found to be of value to criminal investigators, who can use it to link suspects with crime scenes. However, the U.S. official said the data doesn't provide sufficient intelligence value to justify the resources that would be required to use it. [Polley: Why ever not? They certainly were collecting IP addresses for email (and maybe VoIP calls), which provide limited geographical information. Color me skeptical on this disclaimer. Also, parse their language very closely - when they say they "aren't collecting XXX-type of information under this program", they are NOT saying they don't collect it under some other program. These kinds of "lawyer tricks" are unbecoming and thwart serious debate.]


- and -

Here's Everything We've Learned About How the NSA's Secret Programs Work (Washington Post, 25 June 2013) -- In the last few days, the press has focused on NSA leaker Edward Snowden and his efforts to evade capture by the U.S. government. But the more important story is what we've learned about National Security Agency surveillance programs thanks to his disclosures. Any one of Snowden's revelations would have been a big story in its own right. But the news has been coming so rapidly that it's difficult to keep track of it all. So here's a handy guide to the recent revelations about what the NSA has been doing.


- and -

What We Don't Know About Spying on Citizens: Scarier Than What We Know (Bruce Schneier in The Atlantic, 6 June 2013) [Polley: part of a thorough, large compendium of US surveillance resources and information - one of the most useful CryptoGram issues ever.]


- and -

Latest Glenn Greenwald Scoop Vindicates One of the Original NSA Whistleblowers (Business Insider, 27 June 2013) - William Binney - one of the best mathematicians and code breakers in National Security Agency (NSA) history - worked for America's premier covert intelligence gathering organization for 32 years before resigning in late 2001 because he "could not stay after the NSA began purposefully violating the Constitution." Binney claims that the NSA took one of the programs he built, known as ThinThread, and started using the program and members of his team to spy on virtually every U.S. citizen under the code-name Stellar Wind. Thanks to NSA whistleblower/leaker Edward Snowden, documents detailing the top-secret surveillance program have now been published for the first time. And they corroborate what Binney has said for years. From Glenn Greenwald and Spencer Ackerman of The Guardian: "The collection of email metadata on Americans began in late 2001, under a top-secret NSA program started shortly after 9/11, according to the documents. Known as Stellar Wind, the program initially did not rely on the authority of any court - and initially restricted the NSA from analyzing records of emails between communicants wholly inside the US." However, the NSA subsequently gained authority to "analyze communications metadata associated with United States persons and persons believed to be in the United States," according to a secret Justice Department memo from 2007 that was obtained by the Guardian. Binney explains how ThinThread was built to track electronic activities - phone calls, emails, banking and travel records, social media, etc. - and map them to collect "all the attributes that any individual has" in every type of activity and build a real-time profile based on that data. Greenwald and Ackerman, citing the NSA documents, describe how mining metadata from U.S. phone calls and especially Internet communications, which continues to this day, allows the NSA to perform "contact chaining" by which the agency can "analyzed networks with two degrees of separation (two hops) from [a] target." [Polley: the NSA documents are fascinating -- http://s3.documentcloud.org/documents/717973/doc0171.pdf and http://s3.documentcloud.org/documents/717974/nsa-memo.pdf . Fascinating, and very depressing. Panopticon.]


- and finally -

The Criminal N.S.A. (NYT OpEd, 27 June 2013) - The twin revelations that telecom carriers have been secretly giving the National Security Agency information about Americans' phone calls, and that the N.S.A. has been capturing e-mail and other private communications from Internet companies as part of a secret program called Prism, have not enraged most Americans. Lulled, perhaps, by the Obama administration's claims that these "modest encroachments on privacy" were approved by Congress and by federal judges, public opinion quickly migrated from shock to "meh." It didn't help that Congressional watchdogs - with a few exceptions, like Senator Rand Paul, Republican of Kentucky - have accepted the White House's claims of legality. The leaders of the Senate Intelligence Committee, Dianne Feinstein, Democrat of California, and Saxby Chambliss, Republican of Georgia, have called the surveillance legal. This view is wrong - and not only, or even mainly, because of the privacy issues raised by the American Civil Liberties Union and other critics. The two programs violate both the letter and the spirit of federal law. No statute explicitly authorizes mass surveillance. Through a series of legal contortions, the Obama administration has argued that Congress, since 9/11, intended to implicitly authorize mass surveillance. But this strategy mostly consists of wordplay, fear-mongering and a highly selective reading of the law. Americans deserve better from the White House - and from President Obama, who has seemingly forgotten the constitutional law he once taught.


Spain Pushing for Right to Install Government Spyware on Citizens' Devices (ZDnet, 6 June 2013) - The Spanish government is looking to pass legislation that would allow police to install spyware on suspected criminal's computers, according to a report. Spanish daily El País reported on Tuesday that the bill, drawn up by the ministry of justice, is still in its draft phase. But should it be passed into law, police authorities would have the power to install spyware on computers, laptops, tablets, mobile phones and even USBs and external hard drives in order to harvest personal information about the owner. The bill states that targets would have to be suspected of terrorism, organised crime, child pornography, online fraud or cyber-bullying offences carrying a minimum sentence of three years for the use of spyware to be authorised. The spyware would be installed remotely, the report said, and the target machine would have to be physically located in Spain.


Passengers Can Challenge Gov't GPS Tracking, Court Finds (ArsTechnica, 7 June 2013) - Thanks to the United States v. Jones Supreme Court decision from January 2012, we now know that law enforcement cannot place a GPS tracking device on someone's car without a warrant. But what if you're merely a passenger in the car - not the owner - and efforts to track the presumed target also track you? According to a new decision (PDF) this week from the Massachusetts Supreme Judicial Court, you'd still have standing to challenge the government's electronic surveillance of your movements. The Electronic Frontier Foundation, which filed an amicus brief in the case, applauded the ruling on Friday, noting that "while the decision only applies in Massachusetts, it's important for state courts and legislators to protect their citizens' privacy concerns and build momentum for other state courts and legislatures - as well as federal courts and Congress - to do the same."


When Artworks Crash: Restorers Face Digital Test (NYT, 9 June 2013) - Paintings fade; sculptures chip. Art restorers have long known how to repair those material flaws, so the experience of looking at a Vermeer or a Rodin remains basically unchanged over time. But when creativity is computerized, the art isn't so easy to fix. For instance, when a Web-based work becomes technologically obsolete, does updated software simply restore it? Or is the piece fundamentally changed? That was the conundrum facing the Whitney Museum of American Art, which in 1995 became one of the first institutions to acquire an Internet-made artwork. Created by the artist Douglas Davis, "The World's First Collaborative Sentence" functioned as blog comments do today, allowing users to add to the opening lines. An early example of interactive computer art, the piece attracted 200,000 contributions from 1994 to 2000 from all over the globe. By 2005 the piece had been shifted between computer servers, and the programmer moved on. When Whitney curators decided to resurrect the piece last year, the art didn't work. Once innovative, "The World's First Collaborative Sentence" now mostly just crashed browsers. The rudimentary code and links were out of date. There was endlessly scrolling and seemingly indecipherable text in a format that had long ago ceased being cutting edge. For a generation, institutions from the Museum of Modern Art in New York to the Pompidou Center in Paris have been collecting digital art. But in trying to restore the Davis work, which was finally debugged and reposted at the end of May, the Whitney encountered what many exhibitors, collectors and artists are also discovering: the 1s and 0s of digital art degrade far more rapidly than traditional visual art does, and the demands of upkeep are much higher. Nor is the way forward clear.


Ponemon Cost of Data Breach 2013 (Symantec, June 2013) - Symantec and the Ponemon Institute proudly present the 2013 Cost of Data Breach reports. The 2013 Cost of Data Breach Study: Global Analysis is based on the actual data breach experiences of 277 companies around the globe and takes into account a wide range of direct and indirect business costs. Country reports are available for the United States, United Kingdom, France, Germany, Italy, India, Japan, Australia, and Brazil (new). [Polley: Aggregate costs are largely unchanged from last year, but the cause of breaches has finally tipped: malicious activity now accounts for a plurality of breaches, and the per-record cost for such malicious breaches is $277, versus the average per-record cost of $188. See also Regulations' Impact on Data Breach Costs (BankInfo Security, 11 June 2013)]


Copies, Rights and Copyrights (Public Knowledge, 13 June 2013) - Without any education in copyright law, pretty much everyone can explain what they can legally do with the books, CDs, and DVDs that they own. They can use them, lend them, give them away, sell them, and so on. They can't copy them and distribute those copies at will. Transfer those same copyrighted works into the format of digital files, though, and the law starts to diverge sharply from intuition. It's an open question as to whether or not I can sell someone my "used" mp3s, even if I delete them after I send them over. A number of lawyers will still argue over whether or not I can rip my DVD of The Avengers to my iPad. And I may not be able to give my ebook collection to my heirs when I die. It's a basic feature of our laws that you have a lot of rights over your own physical property. You can sell your car to whomever you like, repair it, modify it up to (and well beyond) the bounds of taste or sanity, lend it to anyone, and even rent it out for others to use. The same is true of pretty much anything else you have in your possession- your umbrella, your coat, and your desk. But reach over to those software discs on your desk and something changes- you're standing on much shakier ground. And if you pull out an audio CD from the dusty stack next to those, things can get even more complicated. To a large extent, this difference is due to copyright law, which gives authors particular rights over how other people can use their creative works. This power contrasts, and occasionally conflicts with, ordinary property law. [Polley: there's much more in the rest of the report.]


Bank's New Cybersecurity Audits Catch Law Firms Flat-Footed (ABA Journal, 13 June 2013) - Under pressure from federal regulators, who are concerned about lax cybersecurity at law firms, the Bank of America Merrill Lynch has begun conducting audits on the law firms it does business with, to verify what they are doing to protect sensitive information. Although experts have been warning for some time that such audits were looming, a number of law firms have been caught flat-footed, assistant B of A general counsel Richard Borden told attendees at a recent conference for top in-house lawyers, Corporate Counsel reports. Similar audits may be looming in the United Kingdom, where regulators also are concerned that law firms may represent the "soft underbelly" of clients, such as defense contractors, that are likely to be targeted by hackers, according to ITV News. And in both the U.S. and north of the border, law firms and their clients are increasingly concerned about cybersecurity issues and how best to address them, Canadian Lawyer Magazine reports. Many insurers now require that compliance programs be in place before they will place coverage for cybersecurity risks, the article notes. "It's been really interesting dealing with the law firms, because they're not ready," said Borden, an in-house cybersecurity lawyer who has been helping the group that's auditing the Bank of America's outside counsel. "Some of them are, I should say, but there are many that aren't. And it actually does pose a threat." Auditors are looking to see if the law firm has a cybersecurity plan, he told Corporate Counsel, and, if so, whether it is followed. Since mobile electronic devices are a likely weak area, one issue is whether confidential information sent to them is encrypted. Additionally, unwary employees clicking on malicious links in email remains a common cause of problems, just as it has been for years.


LawSauce App Helps You Locate Legal Materials Worldwide (Robert Ambrogi, 17 June 2013) - Two experts in legal research have developed an app for iOS and Android devices that they describe as like an international GPS for lawyers, helping you quickly locate the right web resource for a variety of legal research tasks. After trying it out over several days, I am impressed by how much it covers. In some cases, however, I was tripped up by anomalies in how the app organizes resources. I found myself confused about why certain resources were omitted, when it turns out some of them were there all along, only not where I thought I'd find them. More on that below. Called LawSauce, the app helps you sift through the variety of legal materials available online and find the ones best suited to help you find what you need. It covers more than 100 jurisdictions and includes more than 8,000 links. More links are being added all the time - in fact new links were added just this morning. The app was developed by Ruth Bird, law librarian at the Bodleian Law Library at the University of Oxford in the U.K., and Natalie Wieland, legal research skills adviser at the University of Melbourne Law School in Australia. The app works by guiding you to the appropriate resource. For example, let's say you want to find a case from the Constitutional Court of South Africa. The first screen in LawSauce asks you to select a task. From the drop-down menu, tap, "Find Cases." That takes you to the next screen, which asks you to select a region. Tap "Africa." The next screen asks you to select a jurisdiction, so from a list of African countries, you tap "South Africa." The next screen asks you to select a title. Various resources are listed, but you tap, "Constitutional Court of South Africa." Next you go to a screen that asks you to select a resource. Only one is listed - the World Legal Information Institute.
Click "Next" and you come to a page that summarizes your selections and has a hyperlink to the World LII. (If the selected resource is not free, LawSauce displays a dollar sign.) Tap the link to open your device's browser and go to the World LII.


Use of Tor and E-Mail Crypto Could Increase Chances that NSA Keeps Your Data (ArsTechnica, 20 June 2013) - Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for US-based communications to be retained by the National Security Agency even when they're collected inadvertently, according to a secret government document published Thursday. The document, titled Minimization Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence, is the latest bombshell leak to be dropped by UK-based newspaper The Guardian. It and a second, top-secret document detail the circumstances in which data collected on US persons under foreign intelligence authority must be destroyed or can be retained. The memos outline procedures NSA analysts must follow to ensure they stay within the mandate of minimizing data collected on US citizens and residents. While the documents make clear that data collection and interception must cease immediately once it's determined a target is within the US, they still provide analysts with a fair amount of leeway. And that leeway seems to work to the disadvantage of people who take steps to protect their Internet communications from prying eyes. For instance, a person whose physical location is unknown - which more often than not is the case when someone uses anonymity software from the Tor Project - "will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person's communications give rise to a reasonable belief that such person is a United States person," the secret document stated. And in the event that an intercepted communication is later deemed to be from a US person, the requirement to promptly destroy the material may be suspended in a variety of circumstances.
Among the exceptions are "communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis."


Data Breaches: Telcos And ISPs Have 24 Hours to Come Clean, Says EU (ZDnet, 24 June 2013) - Telcos and ISPs that serve European customers will have to come clean on data breaches within 24 hours under new EU regulations. Under the regulations , telecoms operators and ISPs operating in Europe will have to notify national data protection authorities within 24 hours where personal data has been lost, stolen or "otherwise compromised". Usually companies will have to disclose the nature and size of the breach within 24 hours, but where this isn't possible they must submit "initial information" within this time before providing full details within three days. Affected firms will be required to spell out which pieces of information have been compromised and what measures have been, or will be, applied by the company to put this right. Businesses and consumers will be notified of the breach if it is felt it "is likely to adversely affect personal data or privacy", under the terms of a test provided by the European Commission. The regulation will require companies to pay particular attention to the type of data compromised, particularly where the breach includes financial information, location data, internet log files, web browsing histories, email data, and itemised call lists. European ISPs and telcos have been obliged to inform national authorities and subscribers about breaches of personal data since 2011, but this regulation spells out how to fulfill this obligation - adding requirements such as the 24-hour window for notification. [Polley: See also Encryption would exempt ISPs from data breach notification to EU customers (Network World, 24 June 2013).]


New "E-Proxy Handbook" (CorporateCounsel.net, 25 June 2013) - Spanking brand new. Posted in our "E-Proxy" Practice Area, this comprehensive "E-Proxy Handbook" provides a heap of practical guidance about how to deal with Rule 14a-16. This one is a real gem - 39 pages of practical guidance.


American Bankers' Association Claims Routing Numbers Are Copyrighted (TechDirt, 25 June 2013) - Reader J Cronin alerts us to the apparent fact that the American Bankers Association (ABA) believes that federal routing numbers are covered by its own copyright, and they've sent a takedown letter to a website that published routing numbers. Greg Thatcher runs a website that, among other things, publishes bank routing numbers. Those are the numbers that appear on the bottom of checks that basically tell you how to send the banks money. Thatcher gets those numbers directly from the Federal Reserve's website. Having a single source for those numbers is really useful for people trying to wire money, so you can see why Thatcher's page would be really popular with lots of people.


Second Circuit Suggests that the Plain View Exception Should Be Applied More Narrowly to Digital Searches (Volokh Conspiracy by Orin Kerr, 25 June 2013) - As regular readers know, I am very interested in the scope of the plain view exception for computer searches. In physical searches, if the government comes across evidence unrelated to the search it is lawfully conducting, the government can seize that evidence as long as its incriminating nature is immediately apparent. I have argued that this rule is troublesome in the context of digital searches because everything comes into plain view in computer searches. A computer warrant for anything becomes a warrant for everything, making every computer warrant a general warrant in practice. To counter that dynamic, I have argued that the plain view exception should not apply to digital searches. See Orin Kerr, Searches and Seizures in a Digital World, 119 Harv. L. Rev. 531 (2005) . * * * I was very interested to see the Second Circuit's decision today in United States v. Galpin . First, the opinion agrees that the scope of computer searches raises special problems: "The potential for privacy violations occasioned by an unbridled, exploratory search of a hard drive is enormous. This threat is compounded by the nature of digital storage. Where a warrant authorizes the search of a residence, the physical dimensions of the evidence sought will naturally impose limitations on where an officer may pry: an officer could not properly look for a stolen flat-screen television by rummaging through the suspect's medicine cabinet, nor search for false tax documents by viewing the suspect's home video collection. Such limitations are largely absent in the digital realm, where the size or other outwardly visible characteristics of a file may disclose nothing about its content."


EU Asserts Jurisdiction Over Google's Servers (Peter Vogel, 28 June 2013) - Internet jurisdiction may have taken an interesting turn now that the EU asserted that servers outside the EU are subject to EU law. On June 25, 2013 Niilo Jaaskinen, the independent Advocate General of the European Court of Justice, issued an Opinion that the EU Data Protective Directive applies to search engines that contain data about EU citizens. That is, regardless of the location of the servers, the EU claims it has jurisdiction over Google, and other search engines. The Washington Post reported that: …Google or other companies cannot argue they are not subject to local data regulators' authority because their servers are physically located in another country.


No New Trials When Jurors Haven't Adequately Disclosed Facebook Friendships (Eric Goldman's blog, 28 June 2013) - Three recent cases all raise the same issue: does an undisclosed Facebook relationship between a juror and someone involved in the case warrant a new trial. In several recent cases, the answer was: no. * * *


RESOURCES

"FTC Regulation of Social Media" Talk Slides and Recording (Eric Goldman, 20 June 2013) - "Last week, I spoke at the 16th Annual FDA-OCRA 2013 Educational Conference in Irvine to an audience of medical device and pharmaceutical compliance professionals. My topic was how the FTC regulates social media, with an emphasis on goods normally regulated by the FDA. My co-panelist had the even harder job of trying to distill the FDA's (lack of) guidance on social media marketing. My talk slides. I also made an audio recording (item #38). Note I started the recording about 90-120 seconds into the talk, but nothing crucial got omitted."

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Funding For TIA All But Dead (Wired, 14 July 2003) -- The controversial Terrorism Information Awareness program, which would troll Americans' personal records to find terrorists before they strike, may soon face the same fate Congress meted out to John Ashcroft in his attempt to create a corps of volunteer domestic spies: death by legislation. The Senate's $368 billion version of the 2004 defense appropriations bill, released from committee to the full Senate on Wednesday, contains a provision that would deny all funds to, and thus would effectively kill, the Terrorism Information Awareness program, formerly known as Total Information Awareness. TIA's projected budget for 2004 is $169 million. TIA is the brainchild of John Poindexter, a key figure from the Iran-Contra scandal, who now heads the research effort at the Defense Advanced Research Projects Agency. Critics on the left and right have called TIA an attempt to impose Big Brother on Americans. The program would use advanced data-mining tools and a mammoth database to find patterns of terrorist activities in electronic data trails left behind by everyday life. The Senate bill's language is simple but comprehensive: "No funds appropriated or otherwise made available to the Department of Defense ... or to any other department, agency or element of the Federal Government, may be obligated or expended on research and development on the Terrorism Information Awareness program." The removal of funds from the program marks the strongest Congressional reaction to TIA since it first gained prominent media attention in November 2002. The Senate likely will vote on and pass the bill early next week as lawmakers hope to send the spending bill to the White House before Congress recesses in August. After the Senate votes, the provision's fate will be decided by a joint committee, which will reconcile the Senate's bill with the House version. The House version contains no explicit provision to deny funds to TIA. 
But Congress watchers say opponents of the TIA likely will succeed in killing it. "The provision was added by the consensus of the committee," said David Carle, a spokesman for Sen. Patrick Leahy, a member of the Defense Appropriations subcommittee. Carle also said that the drive to include the provision denying funds was led by Republican Sen. Ted Stevens, who chairs both the defense subcommittee and the appropriations committee. "The defunding has a chance of surviving committee," said Ari Schwartz, associate director of the Center for Democracy and Technology. "If Stevens is behind it, then it almost certainly will happen."

Are Wiretap Orders Unnecessary in an Age of Cheap Electronic Storage? (Steptoe & Johnson's E-Commerce Law Week, No. 239) -- Wiretaps have always been the most sensitive tool in law enforcement's kit, and obtaining a wiretap order is expensive as well as difficult. Getting a search warrant, in contrast, is an everyday matter in police departments around the country. A recent federal court's decision raises the prospect that wiretap orders for electronic communications could be almost entirely replaced by search warrants. In United States v. Councilman, a Massachusetts federal court has made it possible to characterize almost all electronic communications as "stored communications" -- which may be accessed by police armed only with a search warrant (or less) -- rather than as communications in transit, which require a full-blown wiretap order.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, June 08, 2013

MIRLN --- 19 May – 8 June 2013 (v16.08)

MIRLN --- 19 May - 8 June 2013 (v16.08) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Lawsuit Says IRS Illegally Seized 60 Million Health Records (NextGov, 15 May 2013) - A lawsuit filed in California accuses the Internal Revenue Service of illegal seizure of 60 million electronic health care records belonging to 10 million Americans. The suit filed in the Superior Court of San Diego by Robert Barnes, a Malibu lawyer representing a corporate client named John Doe Co., charged that IRS agents raided the company on March 11, 2011, in a tax case and seized the medical records. Barnes alleged in the suit -- which was filed March 11, 2013, and surfaced Wednesday -- that the "medical records contained intimate and private information of more than 10,000,000 Americans, information that by its nature includes information about treatment for any kind of medical concern, including psychological counseling, gynecological counseling, sexual or drug treatment, and a wide range of medical matters covering the most intimate and private of concerns." The suit said the 15 IRS agents involved in the raid did not have a search warrant or subpoena for the medical records which "may concern the intimate medical records of every state judge in California, every state court employee in California, leading and politically controversial members of the Screen Actors Guild and the Directors Guild, and prominent citizens in the world of entertainment, business and government, from all walks of life." Lawsuit here .

EPIC Files Complaint Against Snapchat With FTC (LA Times, 17 May 2013) - A privacy watchdog group is going after Snapchat for deceiving users about self-destructing messages that don't actually self-destruct. The smartphone app has become popular with young people for sending messages that a few seconds later disappear. That clever disappearing act has made the Los Angeles start-up a hit with users and some prominent investors in Silicon Valley. But it turns out that photos sent over Snapchat have a longer shelf life than people think. They don't vanish -- at least not entirely -- and can be retrieved in some cases. The Electronic Privacy Information Center on Friday filed a complaint with the Federal Trade Commission. "Snapchat is the app that promises to delete photos but it doesn't," said Marc Rotenberg, EPIC's executive director. "We have no problem with apps that make photos vanish. But they should work as promised, and if they don't the Federal Trade Commission should investigate." Snapchat does warn users in its privacy statement: "Although we attempt to delete image data as soon as possible after the message is received and opened by the recipient ... we cannot guarantee that the message contents will be deleted in every case."

Judge's Facebook Friendship With Victim's Parent Does Not Taint Proceeding (Venkat Balasubramani, 17 May 2013) - Youkers was convicted for tampering with evidence after he was indicted for assaulting his girlfriend who was pregnant with his child. He entered into a plea deal under which his prison sentence would be suspended and he would have to pay a fine. Three months after the deal, the State filed a motion to revoke the suspended sentence (and send Youkers to prison), contending that he violated the terms of his supervision. Youkers entered an "open plea of true" and sought leniency on the basis that while he did not previously have a stable place to live, he did now. The trial judge rejected his contentions and sentenced him to 8 years in prison. The judge also rejected his request for a new trial. Youkers appealed, and raised (among other issues) the fact that (1) the trial judge was Facebook friends with the victim's father and (2) in the context of the initial proceeding, the victim's father sent the trial judge an ex parte communication in the form of a Facebook message. The appeals court says none of this rises to the level of improper bias. Youkers v. Texas, No. 05-11-01407-CR (Tx. Ct. App. May 15, 2013) [ pdf ] [Polley: good discussion - worth reading.]

AP's Attempt At DRM'ing the News Shuts Down (TechCrunch, 17 May 2013) - Plenty of people rightly mocked the news a few years ago that the Associated Press was working on a plan to "DRM the news." The idea was to put some sort of licensing mechanism together to get news aggregators to pay to promote their news. This seemed incredibly dumb for a whole host of reasons. It added no value. Its only purpose was to limit the value for everyone in the system by putting a tollbooth where none needed to exist. When it finally launched last year to great fanfare in the newspaper world, under the name "NewsRight," we pointed out that, once again, it made no sense. Basically, the whole focus appeared to be on getting bloggers and aggregators to pay for a license they legally did not need. Since the launch... we heard absolutely nothing about NewsRight. There was a launch, with its newspaper backers claiming it was some huge moment for newspapers, and then nothing. Well, until now, when we find out that NewsRight quietly shut down. Apparently, among its many problems, many of the big name news organizations that owned NewsRight wouldn't even include their own works as part of the "license" because they feared cannibalizing revenue from other sources. So, take legacy companies that are backwards looking, combine it with a licensing scheme based on no legal right, a lack of any actual added value and (finally) mix in players who are scared of cannibalizing some cash cow... and it adds up to an easy failure.

- and -

Does Law Ratchet Infringe Bloggers' Copyrights? (Robert Ambrogi, 23 May 2013) - Yesterday, I wrote a post here about the debut of Law Ratchet , a site that aggregates legal news and blog posts. Afterwards, a reader emailed me asking a key question my post did not address - that of whether Law Ratchet is violating the copyrights of the publishers and bloggers whose stories it is picking up. For many of the articles Law Ratchet picks up, it is republishing them in full on its own site, complete with images. For example, yesterday Orin Kerr published a post on The Volokh Conspiracy titled, Peering Through A Window Next to A Front Door Held to Be A Fourth Amendment Search . Now compare Kerr's post as it appeared on Law Ratchet . It is there in full text - not a snippet, not a simple link. In some cases, however, Law Ratchet is displaying articles in a different way. For articles from certain "mainstream" news sources, Law Ratchet displays a bifurcated page. The top half of the page shows a summary of the article. The bottom half frames the original source page containing the full story. So is Law Ratchet violating copyright law by republishing these stories on its own site? Is this any different from what Google Reader does? For that matter, is Google Reader (or Google News) violating copyright law? The answer is not as straightforward as you might expect. Just recently, in The Associated Press v. Meltwater , a federal judge in New York ruled that the Meltwater media monitoring service infringed AP's copyright by scraping news stories from the web and providing excerpts to its subscribers. The judge rejected Meltwater's fair use defense, finding that Meltwater was simply capturing and republishing AP's content in order to make money from it. Law Ratchet would have an even weaker fair use defense, given that it is republishing entire articles just as they were originally published elsewhere. 
But another defense to copyright infringement is that the republisher had an implied license to use the content. In the case of blogs, the argument has long been made that distributing the blog's content through an RSS feed constitutes a license to others to do what they may with the content. Eric Goldman discussed this in a post in 2005 * * *

Chinese Hackers Who Breached Google Gained Access to Sensitive Data, U.S. Officials Say (Washington Post, 20 May 2013) - Chinese hackers who breached Google's servers several years ago gained access to a sensitive database with years' worth of information about U.S. surveillance targets, according to current and former government officials. The breach appears to have been aimed at unearthing the identities of Chinese intelligence operatives in the United States who may have been under surveillance by American law enforcement agencies. It's unclear how much the hackers were able to discover. But former U.S. officials familiar with the breach said the Chinese stood to gain valuable intelligence. The database included information about court orders authorizing surveillance - orders that could have signaled active espionage investigations into Chinese agents who maintained e-mail accounts through Google's Gmail service. Last month, a senior Microsoft official suggested that Chinese hackers had targeted the company's servers about the same time that Google's system was compromised. The official said Microsoft concluded that whoever was behind the breach was seeking to identify accounts that had been tagged for surveillance by U.S. national security and law enforcement agencies.

Court Finds Fantasy Stories Obscene (TechDirt, 20 May 2013) - Obscenity law and the First Amendment tend to run into each other from time to time and the whole "I know it when I see it" concept makes things a bit arbitrary in the best of situations. Still, it's pretty standard for people to assume questions of obscenity revolve around imagery -- still or video -- rather than written works. Text and stories often explore taboo subjects, but still are seen to have legitimate literary value. Stories like Vladimir Nabokov's Lolita involve somewhat horrifying concepts, but generally are still considered legitimate works of literature. In an age of easy creation for user-generated content, fan fiction and the like, it is not uncommon for things like slash fiction or related fan fiction to involve incredibly graphic scenes. Whether or not you see the appeal (and, personally, I don't get it at all), it's difficult to step aside and say that a particular form of storytelling should be judged as obscene and illegal. When it's purely fiction, and no one is being harmed or forced to participate and/or experience the work against their will, it is difficult to see what sort of harm has been caused. That is, perhaps, why it is "very rare" for there to be obscenity prosecutions for purely text-based works of fiction. Rare, but not unknown. Just recently a federal district court in Georgia ruled that a series of stories written or edited by Frank McCoy were obscene, and thus he violated 18 USC 1462 in "transporting" obscene works. McCoy challenged whether or not the stories themselves could be considered obscene. As you might imagine, the subject matter is not mainstream. It is definitely on the extreme. Just reading the descriptions from the court case, which I will not repeat here, made me cringe and feel extremely uncomfortable. We're talking about extremely taboo subjects that are somewhat horrifying even just to read. 
But, again, one could argue the same sorts of things about Lolita, or any number of other works. Should they, too, be deemed obscene? It seems like a dangerous slippery slope, especially when we're talking about purely written material. In this case, McCoy even had a distinguished English professor testify on his behalf that the works had "serious literary, artistic, political or scientific value."

Do LinkedIn Endorsements Violate Legal Ethics Rules? (ABA Journal, 21 May 2013) - Legal blogger Robert Ambrogi received an email alert this morning notifying him that an Internet acquaintance he's never met or spoken to had endorsed his litigation skills on LinkedIn. Ambrogi says that it is not uncommon for connections with no firsthand knowledge of his skills to endorse him on LinkedIn, a favorite social media site among business executives. MediaPost noted a recent survey of executives that found nine out of 10 of them said they used LinkedIn "often" or "very often." But Robert Ambrogi's LawSites was prompted to ask the question: Do these endorsements violate legal ethics? The answers he found varied and in some cases contradicted one another. Under the ABA Model Rule 7.1, a lawyer is not to make any false or misleading claims about his or her services. "If a lawyer permits an endorsement to remain on the lawyer's LinkedIn profile that the lawyer knows to be misleading, even if someone else posted the endorsement, that would seem to be a problem under Rule 7.1," Ambrogi wrote. Andrew Perlman, Suffolk University Law School professor and director of its Institute on Law Practice Technology and Innovation, raised the same Rule 7.1 questions as Ambrogi in a January post at Legal Ethics Forum (Perlman was chief reporter for the ABA Commission on Ethics 20/20). However, Michael Downey, former chair of the Illinois State Bar Association Standing Committee on Professional Conduct, said in an interview with Illinois Bar Journal that truthful endorsements are OK. Just because the endorser does not know you directly does not make it a false statement, Downey said. Ambrogi noted both sources in his post. "I am no ethics expert," Ambrogi writes, "However, I think it is significant that LinkedIn provides the ability to "hide" endorsements others have given you." Ambrogi suggests users remove endorsements they believe are false or misleading.

Snow Fail: The New York Times And Its Misunderstanding Of Copyright (TechCrunch, 21 May 2013) - You remember Snow Fall, don't you? It was that awesome interactive reporting piece by The New York Times that everyone talked about for a week. The New York Times spent months and had an entire team working on the creation of Snow Fall, and it shows. But what if I told you that you could recreate the same interactive experience in just about an hour? You'd like that, wouldn't you? Well, The New York Times wouldn't. Cody Brown, co-founder of interactive web design tool Scroll Kit, did just that. He recreated the Snow Fall piece using Scroll Kit to show that you didn't need an army of developers or designers to create the same type of interactive storytelling. In fact, the tools exist today to build other compelling narratives that take advantage of the combination of text, and video, and images. To show how easy it was, Brown recorded a video of the process, showing how a user could create the same type of experience in under an hour. And he uploaded it to YouTube, and posted it to the Scroll Kit website. There, he introduced it this way: "The NYT spent hundreds of hours hand-coding 'Snow Fall.' We made a replica in an hour." The video lived there for about a month, Brown tells me, before receiving a letter from The New York Times legal team, demanding that the video be taken down. After consulting with Scroll Kit's legal counsel, the team complied with the takedown request, kind of. They actually set the video to private on YouTube so that no one could see it. But they kept the line about making a replica of Snow Fall on the website. Because, well, it was true. It wasn't long before another C&D nastygram from The New York Times arrived, demanding that they not only delete the video from YouTube - which they eventually did - but that they remove any reference to The New York Times from their website.

How Does Copyright Work In Space? (The Economist, 22 May 2013) - Chris Hadfield has captured the world's heart, judging by the 14m YouTube views of his free-fall rendition of David Bowie's "Space Oddity", recorded on the International Space Station (ISS). The Canadian astronaut's clear voice and capable guitar-playing were complemented by his facility in moving around in the microgravity of low-earth orbit. But when the man fell to Earth in a neat and safe descent a few days ago, after a five-month stay in orbit, should he have been greeted by copyright police? Commander Hadfield was only 250 miles (400 km) up, so he was still subject to terrestrial intellectual-property regimes, which would have applied even if he had flown the "100,000 miles" mentioned in the song's lyrics, or millions of kilometres to Mars. His five-minute video had the potential to create a tangled web of intellectual-property issues. How does copyright work in space? The song "Space Oddity" is under copyright protection in most countries, and the rights to it belong to Mr Bowie. But compulsory-licensing rights in many nations mean that any composition that has been released to the public (free or commercially) as an audio recording may be recorded again and sold by others for a statutorily defined fee, although it must be substantively the same music and lyrics as the original. But with the ISS circling the globe, which jurisdiction was Commander Hadfield in when he recorded the song and video? Moreover, compulsory-licensing rights for covers of existing songs do not include permission for broadcast or video distribution. Commander Hadfield's song was loaded onto YouTube, which delivers video on demand to users in many countries around the world. The first time the video was streamed in each country constituted publication in that country, and with it the potential for copyright infringement under local laws. 
Commander Hadfield could have made matters even more complicated by broadcasting live as he sang to an assembled audience of fellow astronauts for an onboard public performance while floating from segment to segment of the ISS. [Polley: Spotted by MIRLN reader Roland Trope.]

Publicity Rights Aren't Property Rights: Appellate Court Gets It Very Wrong in Hart v. EA (EFF, 22 May 2013) - Bad facts make bad law: it's a legal cliché that is unfortunately based on reality. We saw as much yesterday, in the case of Ryan Hart v. Electronic Arts. Presented with a situation that just seemed unfair, the Third Circuit Court of Appeals proceeded to make a whole bunch of bad law that puts dollars ahead of speech. Here are the facts: Electronic Arts sells a videogame called NCAA Football. Part of the success of the game is based on its realism and detail - including its realistic digital avatars of college players. One of those players was Ryan Hart, who played for Rutgers University from 2002 to 2005. NCAA Football did not use Hart's name, but the game included an avatar with Hart's Rutgers team jersey number, biographical information, and statistics. Trouble is, no one asked Hart if he wanted to be part of the game. Nor did anyone pay him for it - they couldn't, because college players aren't allowed to accept money for any kind of commercial activity. When Ryan discovered the game, he sued EA based on a lesser-known but pernicious legal doctrine, the right of publicity. The right of publicity is a funny offshoot of privacy law that gives a (human) person the right to limit the public use of her name, likeness and/or identity, particularly for commercial purposes like an advertisement. The original idea was that using someone's face to sell soap or gum, for example, might be embarrassing for that person and that she should have the right to prevent it. While that might make some sense in a narrow context, states have expanded the law well beyond its original boundaries. For example, the right was once understood to be limited to name and likeness, but now it can mean just about anything that "evokes" a person's identity, such as a phrase associated with a celebrity (like "Here's Johnny,") or even a robot dressed like a celebrity.
And in some states, the right can now be invoked by your heirs long after you are dead and, presumably, in no position to be embarrassed by any sordid commercial associations. In other words, it's become a money-making machine. But there has traditionally been at least one limit on publicity claims: the First Amendment. In a nutshell, courts are supposed to balance a person's right to control the use of her identity against others' right to expressive speech - including videogames. Unfortunately, the Third Circuit just threw that balance way out of whack. * * *

What Law Firms Should Know About Cyberattacks and the FBI (ABA Journal, 23 May 2013) - The steady rise of cyberattacks against U.S. companies - with damages that include tens of millions of dollars, lost trade secrets and threats to critical infrastructures - has prompted the FBI to even more greatly stress the importance of information-sharing on cyber intrusions. However, the decision to share sensitive data about a company or law firm's network comes with major legal considerations and should include discussions with legal department heads and outside counsel, Corporate Counsel reports. "You have to really figure out what exactly you're going to be willing to do," said DeVore & DeMarco partner Joseph DeMarco at a New York Bar Association event this week covered by Corporate Counsel. DeMarco specialized in cybercrime as an assistant U.S. Attorney. "These are voluntary requests for information. They don't come with immunity." Attackers could be state-sponsored actors, organized criminal groups, individual hackers or "hacktivists," company insiders, or terrorists, according to FBI "cyber cop" Mary Galligan. Many law firms first learn they've been attacked not from internal sources - but from the government, she said at the New York City Bar Association event. "What happens with the FBI is right now, approximately 60 percent of the time, we are going out and telling a company that they have been intruded upon," Galligan said. Although the FBI hasn't always notified companies of an attack, that policy has changed in the past three years in light of several serious attacks against U.S. banks and an executive order mandating information-sharing, she said. "The government is - and especially after the executive order - sharing information as fast as we can get it," Galligan told attendees, according to Corporate Counsel.
Despite these efforts, unless general counsel and outside law firms are involved in these security issues from the start and have instituted a recovery plan in the event of a breach, it can be very difficult for the government to help, Galligan noted. "The law has not kept up with the issue," she said, according to Corporate Counsel. "So I've had companies and banks say, 'OK, come on in and help us,' but they can't give us consent for that." Many firms don't even know what their networks look like or what's on their servers, she added. Hogan Lovells partner and former IBM security counsel Harriet Pearson emphasized the complicated legal issues lawyers must be prepared for in the event of a cyberattack and subsequent government involvement. [Polley: Next month the ABA will publish The ABA Cybersecurity Handbook: A Resources for Attorneys, Law Firms and Business Professionals , with chapters on sources of the risk, legal and ethical obligations, practice-setting specifics, planning and recovery, and insurance. I've been heavily involved in this, and think it'll be an invaluable tool for US lawyers of all stripes. More to come later.]

The 20 Worst Data Breaches (Background Checks, 25 May 2013) - The information technology age has brought with it a new opportunity for the criminally minded. Unfortunately, our government agencies and corporations have not always been as guarded as they could be against those determined to gain access to the vital data they store. Through a combination of hacking and social engineering techniques, digital thieves have made off with identity information, hampered affairs of state, and even stolen millions of dollars. Here are 20 of some of the most damaging, notorious, or notable data breaches presented in chronological order. [Polley: generally useful, chronological summary of big breaches from Card Systems (2005) thru Global Payments (2012).]

Masterworks for One and All (NYT, 28 May 2013) - Many museums post their collections online, but the Rijksmuseum here has taken the unusual step of offering downloads of high-resolution images at no cost, encouraging the public to copy and transform its artworks into stationery, T-shirts, tattoos, plates or even toilet paper. The museum, whose collection includes masterpieces by Rembrandt, Vermeer, Mondrian and van Gogh, has already made images of 125,000 of its works available through Rijksstudio , an interactive section of its Web site. The staff's goal is to add 40,000 images a year until the entire collection of one million artworks spanning eight centuries is available, said Taco Dibbits, the director of collections at the Rijksmuseum. "We're a public institution, and so the art and objects we have are, in a way, everyone's property," Mr. Dibbits said in an interview. "'With the Internet, it's so difficult to control your copyright or use of images that we decided we'd rather people use a very good high-resolution image of the 'Milkmaid' from the Rijksmuseum rather than using a very bad reproduction," he said, referring to that Vermeer painting from around 1660. Until recently, museums had been highly protective of good-quality digital versions of their artworks, making them available only upon request to members of the press or to art historians and scholars, with restrictions on how they could be used. The reasons are manifold: protecting copyrights, maintaining control over potentially lucrative museum revenues from posters or souvenirs and preventing thieves or forgers from making convincing copies. In recent years, though, as the Google Art Project has begun to amass a global archive of images with the cooperation of museums and the Internet has made it impossible to stem the tide of low-quality reproductions, institutions are rethinking their strategy. 
"We've gotten over that hurdle," said Deborah Ziska, a spokeswoman for the National Gallery of Art in Washington. "I don't think anyone thinks we've cheapened the image of the 'Mona Lisa.' People have gotten past that, and they still want to go to the Louvre to see the real thing. It's a new, 21st-century way of respecting images." The National Gallery has so far uploaded about 25,000 works to share with the public. "Basically, this is the wave of the future for museums in the age of digital communications," Ms. Ziska said. "Sharing is what museums need to learn to do." The Rijksmuseum has been able to put its works online more quickly because much of its collection predates Dutch copyright laws and its staff had an opportunity to digitize the collection when the museum was closed for renovations. [Polley: Spotted by MIRLN reader Corinne Cooper.]

- and -

Art and Copyright in the Age of Compulsive Looking (TechDirt, 31 May 2013) - We wrote recently about how the rise of mobile phones with built-in cameras has led to an irresistible urge to record our experiences everywhere with a digital picture. But what happens when those experiences include works of art, which may still be under copyright? That's the interesting question an article in Art News explores: We're in an age when people take pictures just about everywhere, an act that photography critic Jörg M. Colberg describes as "compulsive looking." The phenomenon has created a unique set of challenges for art museums, many of which have historically had strict limitations on photography -- either for the purpose of protecting light-sensitive works or because of copyright issues. The good news is that some art museums are beginning to revisit their old rules, not least because they themselves are starting to share images through social media. As devices shrink and become always-on -- think Google Glass -- that problem will only grow, as copyright designed for the eighteenth century clashes with technology from the twenty-first century. In a sense, this is the visual equivalent of attempts to stop unauthorized sharing of files online. That's not only futile, but causes copyright companies and governments to obsess about something that is not really a problem, as numerous posts on TechDirt have pointed out. Art museums seem to be learning that it's better to embrace change and turn it to their advantage; it's time others did the same, and started looking at the bigger picture.

In Reversal, Judge Orders Child Porn Suspect to Decrypt Hard Drives (Ars Technica, 28 May 2013) - A federal judge who had previously declined to force a Wisconsin suspect to decrypt several hard drives believed to contain child pornography has now changed his mind. After considering new evidence, the judge wrote in an order last week (PDF) that the Milwaukee-area man now must either enter the passwords for the drives without being observed by law enforcement or government counsel or must provide an unencrypted copy of the data. In April 2013, Jeffrey Feldman was ordered by a United States Attorney to help federal authorities execute a search warrant on a collection of his own hard drives. The government claimed that it has probable cause to believe that these drives contain child pornography. Feldman, a computer scientist and software developer at Rockwell Automation Inc., has yet to be charged with a crime. As we reported previously, forcing a defendant to decrypt a hard drive can amount to self-incrimination if the government can't otherwise show that the defendant has the password for the drive. In such a case, forced decryption amounts to a forced confession that the defendant owns the drive. Earlier in this case, Judge William Callahan had ruled that compelling Feldman to provide the passwords for the hard drives would violate his Fifth Amendment right against self-incrimination. According to the order (PDF), after devoting "substantial resources" in the case, FBI agents apparently have been able to decrypt one of the drives. The government argued that because it had found "numerous files which constitute child pornography," "detailed personal financial records and documents belonging to Feldman," and "dozens of personal photographs of Feldman," Feldman therefore has "access to and control over" the set of drives.

- but then -

U.S. District Judge: Forced Decryption of Hard Drives Violates Fifth Amendment (Slashdot, 5 June 2013) - hansamurai writes with an update to a story we've been following for a while. Jeffrey Feldman is at the center of an ongoing case about whether or not crime suspects can be forced to decrypt their own hard drives. (Feldman is accused of having child pornography on his hard drives.) After initially having a federal judge say Feldman was protected by the Fifth Amendment, law enforcement officials were able to break the encryption on one of his many seized storage devices. The decrypted contents contained child pornography, so a different judge said the direct evidence of criminal activity meant Feldman was not protected anymore by the Fifth Amendment. Now, a third judge has granted the defense attorney's emergency motion to rescind that decision, saying Feldman is once again (still?) protected by the Fifth Amendment.

The Most Important Cybersecurity Case You've Never Heard Of (Lawfare, 29 May 2013) - The case is Federal Trade Commission v. Wyndham Worldwide Corporation, a civil suit brought in the District of Arizona by the FTC relating to a cybersecurity breach at Wyndham. To understand why the case matters quite a bit, we need to step back and understand the FTC. The FTC has two grounds on which it can bring a civil lawsuit. One is an allegation of deception - in other words an argument that some consumer service organization (like, say Wyndham Hotels) had made representations to the consuming public that were false. As you may imagine allegations of that sort are often very fact specific and tied to particular circumstances. The second ground for FTC enforcement is a broader one - that a company has engaged in "unfair" business practices. In other words that a company "caused or [is] likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition." The FTC suit against Wyndham is tied to a breach of Wyndham's computer systems by a Russian criminal organization that, allegedly, resulted in more than $10 million in fraud losses. It seeks a permanent injunction, directing Wyndham to fix its cyber systems so that they are more secure and unspecified damages. The suit asserts both grounds for FTC jurisdiction. It first alleges that Wyndham's privacy policy about how they will maintain the security of information about their customers is deceptive - in other words that Wyndham made cybersecurity promises it couldn't keep. The suit also alleges that, systematically, Wyndham's failure to provide adequate cybersecurity for the personally identifiable information of its customers is an unfair business practice. This type of lawsuit by the FTC is not unusual.
These legal theories have been the foundation, for example, of the FTC's investigation of Google, Twitter and HTC, and its investigation of data breaches at large consumer companies like Heartland. In almost all of these cases, the FTC deploys some combination of the argument that a company has misled the public about the nature of its cybersecurity ("deception") or that it has failed to invest adequately in cybersecurity measures ("unfair practices"). Until now, all of these actions have resulted in out-of-court settlements, leaving the validity of the FTC's legal theories untested. But now - in the Wyndham case - the FTC's authority is being questioned. As the Wall Street Journal recently reported, Wyndham is challenging the basic premise of the FTC's suit, arguing that consumer protection statutes cannot be stretched to cover cybersecurity issues. Wyndham has argued that the lawsuit exceeds FTC's enforcement authority - a position supported by the Chamber of Commerce. The principal evidence that the FTC may be acting beyond its authority is its own report from 2000, in which it asked Congress to expand its legal authority to consider security breaches as consumer-protection issues. Congress has never acted on that request, but the FTC has decided to proceed anyway. Indeed, as Wyndham notes, there are a host of more specific data-security laws already on the books (HIPAA; COPPA; Gramm-Leach-Bliley; Fair Credit Reporting), suggesting that there has not been a broad, general grant of data-breach security regulatory authority to the FTC.

Tech Firm Publishes Free Copyright Treatise (Robert Ambrogi, 30 May 2013) - In the early days of the Web, before law firms discovered blogs, they would sweeten the allure of their websites by filling them with content intended to show off their knowledge and expertise. Law firm websites often included FAQs about specific areas of law and some of the more ambitious firms had what amounted to mini-treatises on legal topics. But as more and more firms decided that blogging was the better way to add content to their sites, these sorts of pages all but disappeared. Now, an IP and technology law firm is reviving that approach, but in a decidedly contemporary way. The law firm Adler Vermillion & Skocilich, which has offices in Brooklyn, N.Y., and Seattle, Wash., is publishing the Copyright Codex: A Free Treatise for Lawyers and Artists. The treatise is described as an attempt "to make copyright law useful and accessible for designers, coders and lawyers," and it does a good job of achieving that. While this is no Nimmer on Copyright in the span of its coverage, it nonetheless goes into a fair degree of detail on many topics. It includes discussion of specific cases and how they flesh out various concepts. The treatise is well organized using drop-down menus from seven main categories: Basics, License, Rights, Infringement, Fair Use, Litigate and Copyright Act. Within the drop-down menus are subtopics and sub-subtopics. The whole thing is searchable, of course.

Government Announces New Mobile Security Guidelines (RideTheLightning, 31 May 2013) - Last week, White House officials announced a series of new resources and initiatives, including new mobile security guidelines, designed to help implement the administration's vision of delivering government information securely anytime, anywhere and on any device. A lofty vision, to be sure. U.S. CIO Steven VanRoekel and federal CTO Todd Park announced that the White House Office of Management and Budget has published the first government-wide set of mobile computing security guidelines. The guidelines include a baseline of standard security requirements for mobile computing, a mobile computing decision framework for federal agencies and a mobile security reference architecture. The documents are significant not only in spelling out ways for agencies and industry to develop safer mobile products for use on government networks, but also because of the active roles played by the Department of Homeland Security, the Department of Defense and the National Institute of Standards and Technology in developing them. VanRoekel also announced the implementation of a government-wide digital analytics program across all federal websites. "That means for the first time, we have insight about what information the public is looking for, where they're looking for it and if they're able to find it -- essential to our goal of easing access to government information," he said.

Skype Does NOT Provide Secure Communications (RideTheLightning, 3 June 2013) - Over the weekend, I read yet again about how many lawyers are using Skype in their law practice. As a recent Ars Technica article pointed out, there is a widely held misapprehension, even by experts, that Skype provides impenetrable end-to-end encryption. In fact, the Microsoft-owned company regularly scans message contents for signs of fraud, and company managers may log the results indefinitely. And this can only happen if Microsoft can convert the messages into human-readable form at will. Since Microsoft acquired Skype, the network design has been overhauled. Gone are the peer-to-peer "supernodes" made up of users with sufficient amounts of bandwidth and processing power - now there are some 10,000 Linux machines hosted by Microsoft. The decentralization that had been one of Skype's hallmarks was replaced with a much more centralized network, in which messages are easier to monitor. Ars Technica also conducted an experiment proving that Skype does indeed peek into messages. Read the article and determine for yourself whether Skype is an appropriate vehicle for attorney confidential communications.

New York State Launches Investigation of Top Insurance Companies' Cybersecurity Practices. Who's Next? (Francoise Gilbert, 4 June 2013) - The State of New York has launched an inquiry into the steps taken by the largest insurance companies to keep their customers and companies safe from cyber threats. This is the second inquiry of this kind. Earlier this year, a similar investigation targeted the cyber security practices of New York based financial institutions. On May 28, 2013, the New York Department of Financial Services (DFS) issued letters pursuant to Section 308 of the New York Insurance Law ("308 Letters") to 31 of the country's largest insurance companies, requesting information on the policies and procedures they have in place to protect health, personal and financial records in their custody against cyber attacks. Among other things, the 308 Letters request:

  • Information on any cyber attacks to which the company has been subject in the past three years;
  • The cyber security safeguards that the company has put in place;
  • The company's information technology management policies;
  • The amount of funds and other resources that are dedicated to cyber security;
  • The company's governance and internal control policies related to cyber security
[Polley: see also The State of Security (Tripwire, 3 June 2013)]

Court Says Copying Journal Articles To Show Prior Art In Patent Proceedings Is Fair Use (TechDirt, 4 June 2013) - Last year, we wrote about how some academic journals were ridiculously claiming that law firms, who made copies of journal articles to submit to the US Patent and Trademark Office to show examples of prior art, were infringing on their copyrights. Yes, they were arguing that you couldn't use their journals as examples of prior art without paying them for the privilege. Thankfully, the USPTO stepped up and issued a memo explaining why they believed such usage was clearly protected as fair use. Still, the American Institute of Physics and Blackwell Publishing decided to sue a law firm, Winstead PC, and patent filers over the matter. The USPTO then stepped in as an "intervening defendant." Over the course of the case, the publishers finally admitted that articles submitted with patent filings themselves probably weren't infringing and dropped that claim. However, they still argued that other copies made "during the process of evaluating and selecting" material to be submitted to the USPTO were infringing (in other words, the clients and the lawyers sharing copies of the articles back and forth -- and later copies of the articles associated with patent files). The USPTO stepped in and argued that this was obviously fair use , noting the benefits to the public, the fact that none of the copying was done for "commercially exploiting" the work, that the copies are a part of a much larger process and, of course, that it doesn't compete with the primary market for the works. Oh yeah, also: "courts routinely hold that copies made in connection with government proceedings is fair use." The district court in the northern district of Texas ruled last week that the defendants are entitled to the fair use defense in a ruling from the bench.

New Cyber Sheriff May Seek Bigger Gun (Steptoe, 6 June 2013) - In a letter to Senate Commerce Committee Chairman Jay Rockefeller last month, new Securities and Exchange Commission Chairman Mary Jo White wrote that she had directed her staff to provide her with a briefing on current practices of the SEC for evaluating what, if any, disclosures public companies should make regarding cyberattacks and cybersecurity risks, including the overall level of compliance with the existing guidance issued in late 2011. The Federal Trade Commission and various state attorneys general have already marked their data breach territory by going after companies that have suffered breaches for failing adequately to protect data. But the prospect of the SEC's flexing greater muscle in this area means that companies that suffer a breach may face even more regulatory scrutiny in the aftermath.

N.S.A. Said to Gather Users' Online Data (NYT, 6 June 2013) - The federal government has been secretly gathering information on foreigners overseas for nearly six years from the nation's largest Internet companies like Google, Facebook and, most recently, Apple, in search of national security threats, according to documents that emerged Thursday and were confirmed by a senior government official. The disclosure of the classified program came just hours after government officials acknowledged a separate seven-year effort to sweep up records of telephone calls inside the United States. Together, the unfolding revelations opened a window into the growth of government surveillance that began under the Bush administration after the terrorist attacks of Sept. 11, 2001, and has clearly been embraced and even expanded under the Obama administration. Government officials defended the two surveillance initiatives as authorized under law, known to Congress and necessary to guard the country against terrorist threats. But an array of privacy advocates and libertarians said the disclosures provided the most detailed confirmation yet of what has been long suspected about what the critics call an alarming and ever-widening surveillance state. The documents on the Internet surveillance program, first posted by The Washington Post and then The Guardian, indicated that data collected from online providers could include e-mail, chat services, videos, photos, stored data, file transfers, video conferencing and logins. The program, called Prism, is authorized under a foreign intelligence law that was recently renewed by Congress, said the senior official, who added that it minimizes the collection and retention of information "incidentally acquired" about Americans and permanent residents. Several of the Internet companies issued statements strongly denying knowledge of or participation in the program. [Polley: Read the 3-page FISC subpoena . 
And I'm certain this is the tip of the iceberg. Very disheartening. See the first two stories from " Looking Back " below; see the Washington Post story on Prism: U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program (Washington Post, 7 June 2013) - of particular concern is the excerpt: "Intelligence analysts are typically taught to chain through contacts two "hops" out from their target, which increases "incidental collection" exponentially. The same math explains the aphorism, from the John Guare play, that no one is more than "six degrees of separation" from any other person." So, even if Prism is aimed at non-US persons, the two-hop rule will sweep up the actual contents of millions of US-persons' communications.]

RESOURCES

A Superb Source for Global and International Law (Robert Ambrogi, 31 May 2013) - You probably are familiar with the Legal Information Institute at Cornell University Law School, a pioneering publisher of U.S. legal materials online. But did you know that there is an international network of some 22 legal institutes and similar organizations, all devoted to providing free access to the law? While these various LIIs generally focus on the law of their own lands, one, the World Legal Information Institute, provides access to sources and collections of law from various countries, from Afghanistan and Albania to Zambia and Zimbabwe. As of this writing, it includes 1,240 databases from 123 jurisdictions, with more being added on a regular basis. Some of these materials are drawn from the various country-specific LIIs that help support this site and others are unique to the site. They are organized by countries, regions and databases, which you can browse or search. The site's LawCite search allows you to search the materials by citation, party name, jurisdiction, article title, author and other parameters. The World LII also includes the International Law Library, which it says is the most comprehensive free-access international law library on the Internet. Focused on international law, cooperation and trade, it includes decisions of international courts and tribunals, treaties and international agreements, international law journals, and law reform materials.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Ashcroft Proposes Vast New Surveillance Powers (The Register, 10 Feb 2003) -- A sweeping new anti-terrorism bill drafted by the Justice Department would dramatically increase government electronic surveillance and data collection abilities, and impose the first-ever federal criminal penalties for using encryption in the U.S. A draft of the Domestic Security Enhancement Act of 2003 dated January 9th was obtained by the non-partisan Center for Public Integrity and released Friday. The 120-page proposal would further expand many of the surveillance powers Congress granted federal law enforcement in the USA-PATRIOT Act in 2001, while increasing the secrecy surrounding some government functions. One provision in the bill would represent America's first domestic regulation of encryption, though it would apply only to those already attempting to commit a federal crime.

Bush Lets U.S. Spy on Callers Without Courts (New York Times, 16 Dec 2005) -- Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without the court-approved warrants ordinarily required for domestic spying, according to government officials. Under a presidential order signed in 2002, the intelligence agency has monitored the international telephone calls and international e-mail messages of hundreds, perhaps thousands, of people inside the United States without warrants over the past three years in an effort to track possible "dirty numbers" linked to Al Qaeda, the officials said. The agency, they said, still seeks warrants to monitor entirely domestic communications. The previously undisclosed decision to permit some eavesdropping inside the country without court approval was a major shift in American intelligence-gathering practices, particularly for the National Security Agency, whose mission is to spy on communications abroad. As a result, some officials familiar with the continuing operation have questioned whether the surveillance has stretched, if not crossed, constitutional limits on legal searches. "This is really a sea change," said a former senior official who specializes in national security law. "It's almost a mainstay of this country that the N.S.A. only does foreign searches." Nearly a dozen current and former officials, who were granted anonymity because of the classified nature of the program, discussed it with reporters for The New York Times because of their concerns about the operation's legality and oversight. The White House asked The New York Times not to publish this article, arguing that it could jeopardize continuing investigations and alert would-be terrorists that they might be under scrutiny. 
After meeting with senior administration officials to hear their concerns, the newspaper delayed publication for a year to conduct additional reporting. [Editor: This is the story-of-the-decade for me; separation of powers and Article II supremacy. I'm astounded that the Times sat on it for a year. Reminds me of a senior DOD lawyer who carries a copy of the Constitution in his suit coat pocket, and pulls it out several times a day to cite Article II authority, as if there weren't two centuries of statutory, regulatory, and case-law gloss.] Related story at http://www.salon.com/news/feature/2005/12/23/bamford/print.html ; interesting legal analysis/blog at http://balkin.blogspot.com/#113526050457460564 .]

UCITA Hits Snag With Lawyer Group (IT World, 12 Feb 2003) -- The future of a proposed law that would standardize software licensing agreements across the U.S. appeared to be in doubt after the American Bar Association (ABA) failed to approve it at its national meeting last week. The National Conference of Commissioners on Uniform State Laws (NCCUSL) has been pitching the Uniform Computer Information Transactions Act (UCITA) to state legislators since 1999. They have called it a "model" law that would create uniform legislation across the country. Several software companies and groups, including the Business Software Alliance, Microsoft Corp. and IBM Corp., support UCITA, arguing that differing state software licensing laws drive up the cost of selling software. They argue that a uniform law across the United States would reduce vendors' liability costs. NCCUSL approved a series of changes to the proposed law in August 2002 in an effort to answer critics' complaints that UCITA would force restrictive licenses for shrink-wrapped or downloaded software on customers. However, six Sections of the ABA failed to approve UCITA before the ABA's mid-year meeting in Seattle this past week. On Monday, the NCCUSL withdrew a resolution recommending the ABA House of Delegates approve UCITA, according to the American Library Association, an opponent of UCITA.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.